aruba / aoscx-ansible-collection

Ansible collections for AOS-CX switches 

module: aoscx_acl - tcp_flags - BUG #119

Open williambargent opened 2 days ago

williambargent commented 2 days ago

Hello CX Ansible Team,

I'm having trouble using the tcp_flags parameter now that the tcp_established bool has been deprecated.

I have the following in my playbook:

    - name: "Deploy new access-list"
      aoscx_acl:
        type: ipv4
        state: update    <-- (have also tested 'create')
        name: "VLAN"
        acl_entries: "{{ v4_acl_entries }}"

This v4_acl_entries variable is stored in a separate file in the following format:

v4_acl_entries:
  '100': { action: permit, protocol: tcp, src_ip: any, dst_ip: any, tcp_flags: [ established ], comment: "PERMIT ESTABLISHED" }
  '200': { action: deny, protocol: any, src_ip: any, dst_ip: any, count: true, log: true, comment: "DEFAULT DENY" }

This seems to occur for any list item: ack, cwr, ece, established, fin, psh, rst, syn, urg. I have been following the documentation page: https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

The error I receive:

The full traceback is:
  File "/tmp/ansible_aoscx_acl_payload_0abmk9rn/ansible_aoscx_acl_payload.zip/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py", line 632, in main
  File "/home/admin/admin_wb140/.local/lib/python3.9/site-packages/pyaoscx/acl_entry.py", line 198, in __init__
    raise ParameterError(
fatal: [rtr-core]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "acl_entries": {
                "100": {
                    "action": "permit",
                    "comment": "PERMIT ESTABLISHED",
                    "dst_ip": "any",
                    "protocol": "any",
                    "src_ip": "any",
                    "tcp_flags": [
                        "established"
                    ]
                },
                "200": {
                    "action": "deny",
                    "comment": "DEFAULT DENY",
                    "count": true,
                    "dst_ip": "any",
                    "log": true,
                    "protocol": "any",
                    "src_ip": "any"
                }
            },
            "name": "VLAN",
            "state": "update",
            "type": "ipv4"
        }
    },
    "msg": "'PARAMETER ERROR: [ACL VLAN/ipv4 - Entry 100] Parameters not supported: tcp_established'"
}

My versions:

ansible [core 2.15.12]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/admin/admin_wb140/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/admin/admin_wb140/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/admin/admin_wb140/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/admin/admin_wb140/.local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True
ansible.netcommon     7.1.0
arubanetworks.aoscx   4.4.0
pyaoscx               2.6.0
alagoutte commented 2 days ago

Hi @williambargent

What switch model and firmware ?

williambargent commented 2 days ago

Good evening @alagoutte,

I have tested with multiple 8360s; the firmware is 10.13.1040, and it also occurred on 10.13.1031.

alagoutte commented 2 days ago

Can you try to replace, in

v4_acl_entries:
  '100': { action: permit, protocol: tcp, src_ip: any, dst_ip: any, tcp_flags: [ established ], comment: "PERMIT ESTABLISHED" }
  '200': { action: deny, protocol: any, src_ip: any, dst_ip: any, count: true, log: true, comment: "DEFAULT DENY" }

protocol: tcp with protocol: 6? (From the Ansible AOS-CX doc it is an int, not a string...) And the output talks about protocol any.

As for the error "Parameters not supported: ", it comes from the pyaoscx module, about some capabilities not being supported.

williambargent commented 1 day ago

Thanks, I have tested with protocol: 6 and protocol: any however I get the same error.

The documentation that I have been referring to mentions that protocol is a str value. https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

alagoutte commented 18 hours ago

> Thanks, I have tested with protocol: 6 and protocol: any however I get the same error.
>
> The documentation that I have been referring to mentions that protocol is a str value. https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

but the code says "int": https://github.com/aruba/aoscx-ansible-collection/blob/master/plugins/modules/aoscx_acl.py#L265 :) (I think the doc is regenerated... @tchiapuziowong)

Do you always get "protocol": "any" in the verbose output?
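The protocol type mismatch raised in this thread (docs say str, the module code says int) and the fixed list of tcp_flags values can both be checked on the controller before the play ever reaches the switch. What follows is an added example written for this issue; it is not code from aoscx-ansible-collection, pyaoscx, or either commenter. It converts protocol names to IANA protocol numbers (tcp=6, udp=17, icmp=1), requires protocol tcp whenever tcp_flags is set, and rejects any flag outside the list quoted from docs/aoscx_acl.md. Whether the module accepts the literal "any" for protocol is not settled in the thread, so the example passes "any" through unchanged. All function and constant names (PROTOCOL_NUMBERS, TCP_FLAGS, check_acl_entries, ...) are this example's own; it does not address the pyaoscx "Parameters not supported: tcp_established" error itself, only the playbook-side typing.

```python
"""Pre-flight check for an aoscx_acl acl_entries mapping.

Added example for this issue; it is not code from aoscx-ansible-collection,
pyaoscx, or either commenter. It converts protocol names to the IANA
protocol numbers that the module argspec declares as int, and rejects
tcp_flags values outside the list quoted from docs/aoscx_acl.md. All
function and constant names here are this example's own assumptions.
"""

# IANA protocol numbers for the names commonly written in ACLs (assumed subset).
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# tcp_flags values listed in docs/aoscx_acl.md, as quoted in the issue.
TCP_FLAGS = {"ack", "cwr", "ece", "established", "fin", "psh", "rst", "syn", "urg"}

# Constructed input: the v4_acl_entries from the issue report, as a dict.
SAMPLE_ENTRIES = {
    "100": {"action": "permit", "protocol": "tcp", "src_ip": "any",
            "dst_ip": "any", "tcp_flags": ["established"],
            "comment": "PERMIT ESTABLISHED"},
    "200": {"action": "deny", "protocol": "any", "src_ip": "any",
            "dst_ip": "any", "count": True, "log": True,
            "comment": "DEFAULT DENY"},
}


def normalise_protocol(value):
    """Return the IANA protocol number as int, or None for 'any'/unset.

    Accepts an int, a numeric string ('6') or a known name ('tcp').
    """
    if value is None or str(value).strip().lower() == "any":
        return None
    if isinstance(value, bool):  # bool is an int subclass; never a protocol
        raise ValueError(f"protocol must be a number or name, got {value!r}")
    if isinstance(value, int):
        if 0 <= value <= 255:
            return value
        raise ValueError(f"protocol number out of range: {value}")
    name = str(value).strip().lower()
    if name.isdigit():
        return normalise_protocol(int(name))
    if name in PROTOCOL_NUMBERS:
        return PROTOCOL_NUMBERS[name]
    raise ValueError(f"unknown protocol name: {value!r}")


def check_entry(seq, entry):
    """Validate one ACE and return a normalised copy (input is not mutated)."""
    out = dict(entry)
    proto = normalise_protocol(entry.get("protocol"))
    if proto is not None:
        out["protocol"] = proto  # send the int the module argspec expects
    flags = entry.get("tcp_flags")
    if flags is not None:
        if isinstance(flags, str):  # tolerate 'established' vs ['established']
            flags = [flags]
        bad = sorted(set(map(str, flags)) - TCP_FLAGS)
        if bad:
            raise ValueError(f"entry {seq}: unsupported tcp_flags {bad}")
        if proto != 6:
            raise ValueError(
                f"entry {seq}: tcp_flags requires protocol tcp (6), "
                f"got {entry.get('protocol')!r}")
        out["tcp_flags"] = [str(f) for f in flags]
    return out


def check_acl_entries(entries):
    """Normalise a whole acl_entries mapping; raise ValueError on the first bad ACE."""
    return {str(seq): check_entry(seq, ace) for seq, ace in entries.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(check_acl_entries(SAMPLE_ENTRIES), indent=2))
```

Run as a script it prints the normalised mapping for the issue's two entries (entry 100 with protocol 6, entry 200 untouched); dropped into a collection-local filter plugin, check_acl_entries could be applied to v4_acl_entries before it is passed to aoscx_acl so a mistyped flag fails the play with a clear message instead of a pyaoscx traceback.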